b'AUDIT OF PAYMENTS TO CIBER, INC.\n\n\n\n        Audit Report No. 00-021\n              June 2, 2000\n\n\n\n\n       OFFICE OF AUDITS\n\n OFFICE OF INSPECTOR GENERAL\n\x0cFederal Deposit Insurance Corporation                                                                 Office of Audits\nWashington, D.C. 20434                                                                    Office of Inspector General\n\n   DATE:                            June 2, 2000\n\n   MEMORANDUM TO:                   Arleas Upton Kea, Director\n                                    Division of Administration\n\n                                    Donald C. Demitros, Director\n                                    Division of Information Resources Management and\n                                    Chief Information Officer\n\n\n   FROM:                            David H. Loewenstein\n                                    Assistant Inspector General\n\n   SUBJECT:                         Audit of Payments to CIBER, Inc. (Audit Report Number 00-021)\n\n\n   The Office of Inspector General (OIG) has completed an audit of payments made to CIBER, Inc.\n   (CIBER). As of March 1, 2000, the Federal Deposit Insurance Corporation (FDIC) had expended\n   $17 million of $20.5 million in funds authorized under eight open delivery orders with CIBER. This\n   review has identified billing allowability issues and offered contract administration-related\n   suggestions to assist management in the completion of these eight delivery orders and three recently\n   awarded delivery orders valued at $10.2 million. During the course of our audit we communicated\n   our concerns and suggestions to management to enable more timely consideration of this\n   information. This is one of four ongoing OIG audits of the Division of Information Resources\n   Management (DIRM) delivery order-type contracts.\n\n   BACKGROUND\n\n   The General Services Administration (GSA) Federal Supply Service (FSS) leverages the\n   government\xe2\x80\x99s buying power to help federal agencies save time by acquiring goods and services\n   through pre-established contracts. The FDIC used GSA\xe2\x80\x99s pre-established contracts for IT\n   services and competitively awarded eight delivery orders1 to CIBER between April 7, 1998 and\n   December 23, 1998. CIBER\xe2\x80\x99s contract with GSA (GS-35F-4541G) is effective for the period\n   covering July 2, 1997 through March 31, 2002 and dictates experience requirements and hourly\n   billing rates by labor category for CIBER personnel.\n\n   Through the delivery orders, CIBER is providing System Development Life Cycle support\n   services for the Assessment Invoicing and Management System, the Multi-Tier Application\n   Architecture Project, and the Electronic Travel Voucher Payment System. The delivery orders\n   also engaged CIBER to support new and existing systems used by the Division of Resolutions\n   and Receiverships (DRR), the Division of Supervision (DOS), and other DIRM clients, including\n\n   1\n    Delivery orders are orders for supplies or services placed against an established contract or with government\n   sources for supplies.\n\x0cthe FDIC\xe2\x80\x99s executive offices. CIBER is a provider of strategic management and information\ntechnology consulting, enterprise applications, enterprise and network integration, application\nhosting, and custom business solutions. The firm has 6,700 employees with offices in 45 cities\nin the U.S. and 2 cities in Canada.\n\nCIBER\xe2\x80\x99s delivery orders are time and materials-type contracts in that they provide for services\nbased on direct labor hours at fixed hourly rates plus the cost of any necessary materials.\nAccording to the FDIC Acquisition Policy Manual (APM), time and materials contracts are used\nwhen the Contracting Officer determines that fixed-price contracting (the preferred method) is\nnot practical. Time and materials contracts make sense when it is difficult to provide a detailed\nstatement of work or to estimate the price or duration of the time required for contract\nperformance. The APM states that time and materials contracts should be used with caution\nsince they provide no positive profit incentive to the contractor for price control or labor\nefficiency. The APM further states that the FDIC shall provide the appropriate oversight of\ncontractor performance to ensure that efficient methods are being used.\n\nCIBER used subcontractors to perform certain tasks within some of the delivery orders. In its\nproposals, CIBER specified subcontractor level of effort and a percentage of mark-up it would\napply to subcontractor billings. The GSA contract is silent regarding CIBER\xe2\x80\x99s ability to mark up\nsubcontractor billings. Because subcontractor markups were not expressly prohibited, they were\nconsidered an allowable charge.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe primary objective of the audit was to determine whether the billings submitted by CIBER\nwere adequately supported and allowable under the terms and conditions of the GSA contract\nand FDIC delivery orders. In addition, with only 41 percent of authorized funds expended\nthrough the time our fieldwork began, an objective was added to identify opportunities for\nimproving contract administration for the balance of the open delivery orders. Our audit\nincluded the 96 invoices that FDIC paid between July 15, 1998 and July 31, 1999. These\ninvoices were paid under eight delivery orders and totaled $8,334,400.\n\nThe audit methodology included the following:\n\xe2\x80\xa2 Identifying open delivery order contracts as of July 1999.\n\xe2\x80\xa2 Interviewing the Contracting Officer, four Contracting Specialists, eight DIRM Oversight\n   Managers, CIBER\xe2\x80\x99s Director of Contracts, and a GSA Customer/Vendor Relations\n   representative.\n\xe2\x80\xa2 Reviewing delivery orders 9800291CJT, 9800328HLH, 9800506CJT, 9800216CAF,\n   9800809CEU, 9801022CDY, 9800788CS2, and 9801301NS2 and the corresponding GSA\n   contract.\n\xe2\x80\xa2 Gathering and examining support for 96 invoices (100 percent).\n\xe2\x80\xa2 Reviewing the invoices for compliance with contract requirements.\n\xe2\x80\xa2 Analyzing the population for duplicate payments.\n\xe2\x80\xa2 Reviewing FDIC contract monitoring files.\n\xe2\x80\xa2 Reviewing subcontractor files.\n\xe2\x80\xa2 Reviewing CIBER personnel files for 24 employees.\n\xe2\x80\xa2 Determining whether CIBER employees working on-site billed off-site rates.\n\n                                                2\n\x0c\xe2\x80\xa2   Testing authorization of key personnel.\n\xe2\x80\xa2   Determining whether background investigations were performed for key personnel.\n\xe2\x80\xa2   Determining whether the FDIC received volume discounts.\n\xe2\x80\xa2   Testing the accuracy and completeness of inventory records for computer equipment.\n\xe2\x80\xa2   Testing billing rates for each labor category.\n\xe2\x80\xa2   Analyzing variances between budgeted and actual labor charges for all labor categories.\n\xe2\x80\xa2   Providing DIRM, Acquisition and Corporate Services Branch (ACSB), and CIBER staff with\n    preliminary findings to verify factual accuracy, solicit input into the causes of findings, and\n    develop workable recommendations.\n\xe2\x80\xa2   Obtaining a management representation letter from CIBER\xe2\x80\x99s Director of Contracts providing\n    assurance of the truth, accuracy, and completeness of information provided by CIBER\n    officials during the course of the audit.\n\nWe did not perform audit steps aimed at drawing conclusions on qualitative issues. That is, we\ndid not examine the quality of the technical services provided to the FDIC by CIBER. We\nconducted the audit from July 1999 through February 2000 in accordance with generally\naccepted government auditing standards.\n\nRESULTS OF AUDIT\n\nAlthough CIBER billings generally were supported, they were not always allowable. The\nunallowable charges relate to employee qualification issues, excessive or unauthorized\nsubcontractor markups, billing rates, and volume discounts. As a result, we are questioning\n$587,621 of the $8.3 million audited.\n\nAs an added objective, we sought ways to improve contract administration to benefit the balance of\nthe open delivery orders included in this audit and possibly other similar ones. The following\nenhancements, if implemented, will help ensure more effective contract administration.\n\xe2\x80\xa2 Reiterating to CIBER that it must adhere to the GSA contract and FDIC delivery order\n    provisions,\n\xe2\x80\xa2 Obtaining and reviewing more information from CIBER on its invoices and reviewing contractor\n    employee qualifications,\n\xe2\x80\xa2 Developing a procedure to help ensure that tasks are performed by the appropriate labor category\n    of contractor personnel,\n\xe2\x80\xa2 Requiring that CIBER provide information on equipment it has purchased and having oversight\n    managers make periodic surprise inventory counts, and\n\xe2\x80\xa2 Ensuring that the FDIC complies with GSA contract provisions when setting experience levels.\n\nCIBER BILLED UNALLOWABLE CHARGES\n\nWe identified instances in which CIBER billed unallowable charges. These unallowable charges\nrelate to employee qualification issues, subcontractor markups, billing rate issues, and volume\ndiscounts. Of the $8,334,400 in payments sampled, we question a total of $587,621, as shown in\nTable 1. A discussion of each type of unallowable charge follows the table.\n\n\n\n\n                                                 3\n\x0cTable 1: Unallowable Charges\n                            Type                                                   Amount Questioned*\n Employee Qualifications Not Commensurate with Billing Rates                                   $293,315\n Subcontractor Markups                                                                           216,974\n Rate Variances                                                                                   98,259\n Volume Discounts                                                                                 34,372\n On-Site Billing Rates                                                                            26,751\n                                                     Subtotal                                  $669,671\n                                 Less: Overlapping Amounts                                      (82,050)\n                                                        Total                                  $587,621\nSource: Analysis of files maintained by DIRM, ACSB, and CIBER\n* Includes overlapping questioned costs totaling $82,050. Overlapping affects each line item of questioned costs.\n\nEmployee Qualifications Not Commensurate with Billing Rates\n\nThe FDIC used the FSS to place eight delivery orders with CIBER under GSA contract GS-35F-\n4541G. This GSA contract dictates experience requirements and hourly billing rates by labor\ncategory for CIBER personnel. Deviations from these requirements are permitted only with a\nmodification to the GSA contract.\n\nCIBER billed the FDIC for services performed by 17 employees who did not meet the minimum\nlevel of experience required by both the GSA contract and FDIC delivery orders (the Oversight\nManagers identified 4 of these employees as key personnel2). A comparison of the rates billed to\nrates appropriate for their actual level of experience shows that CIBER over-billed a total of\n$293,315 for these 17 employees. In one example, a delivery order required that an individual with\n6 years of experience fill a position as an Applications Developer IV. This labor category was\nauthorized to bill at an hourly rate of $86.34. However, CIBER filled this position with an\nindividual having only 1 year and 10 months of experience. Thus, this individual qualified as an\nApplications Developer I with an hourly billing rate of $52.02. We calculated over-billings by\nmultiplying the difference of $34.32 by the number of hours billed. We performed similar analyses\nfor the other 16 employees whose experience did not match the hourly rates billed to calculate total\nover-billings of $293, 315.\n\nSubcontractor Markups\n\nOur audit disclosed several issues related to subcontractor markups. The GSA contract is silent\non the issue of subcontractor markups. Because subcontractor markups were not expressly\nprohibited, they were considered an allowable charge. Of the $8.3 million in payments audited,\nCIBER billed a total of $275,718 in subcontractor markups. However, we identified that CIBER\nexceeded agreed-upon markup percentages and that several subcontractors were not authorized.\n\nWe found that CIBER charged markups that exceeded agreed-upon percentages. The standard\nFDIC Request for Quotation (RFQ) used to solicit firms required bidders to include in their\nproposals the markup they intended to use for subcontractors. During the negotiation and award\n\n2\n    Key personnel are the contractor\xe2\x80\x99s employees designated to perform essential work under the contract.\n                                                         4\n\x0cprocess for the selected contractor, the FDIC Contracting Officer was then required to review\nthis markup as part of the subcontractor approval process.\n\nCIBER submitted six proposals that expressly stated (1) the name of the subcontractor firm and\n(2) the percentage of markup that would be applied to subcontractor labor. However, we\nidentified instances in which CIBER billed the FDIC using a greater percentage markup than\nstated in these proposals. We also identified instances in which CIBER used subcontractors\nwithout the authorization of an FDIC Contracting Officer as required by the delivery orders.\nLike other vendors, subcontractors are subject to fitness and integrity standards and the FDIC\nwas not able to ensure that the subcontractors were suitable to perform work for the FDIC.\nCIBER billed $129,142 for amounts in excess of cost plus the authorized markups. CIBER also\nbilled $87,832 for amounts above cost for unauthorized subcontractors. Therefore, we are\nquestioning costs totaling $216,974.\n\nIn a related vein, CIBER submitted three proposals that expressly stated the percentage level of\neffort that would be performed by subcontractor labor. This percentage dictated the level of\ncontrol necessary for the contractor to thoroughly monitor subcontractor performance. We\nidentified two delivery orders in which CIBER billed the FDIC a greater percentage of\nsubcontracted labor than stated in these proposals. Specifically, CIBER billed more for\nsubcontractor participation than originally stated by amounts ranging from 13 to 37 percent.\nThis greater percentage of subcontractor participation may have impaired CIBER\xe2\x80\x99s ability to\neffectively monitor subcontractor performance.\n\nRate Variances\n\nWe reviewed all of the 96 CIBER invoices for compliance with the GSA labor rate schedule.\nInformation recorded on these invoices included the name, hourly rate, and hours billed for\nindividuals charging time but not the labor category. Thus, we were required to trace the hourly\nbilling rate to the GSA labor rate schedule to obtain this information. We then confirmed the\naccuracy of labor categories with the responsible FDIC Oversight Managers.\n\nWe found 161 instances in which CIBER billed the FDIC using hourly labor rates higher than\nthe prevailing GSA schedule rates. Our review indicates that in total, the FDIC paid $98,259 in\nexcess of GSA\xe2\x80\x99s authorized rates.\n\nVolume Discounts\n\nCIBER agreed to provide volume discounts for labor hours used in three of the sampled eight\ndelivery orders. The discount was calculated based on a graduated scale. For example, in one\ndelivery order, a 1-percent discount was offered for amounts expended exceeding $1 million up\nto $2 million, and a 2-percent discount was offered for amounts exceeding $2 million up to the\ndelivery order ceiling. This discount was to be reflected on CIBER\xe2\x80\x99s monthly invoices.\nHowever, we identified $34,372 in volume discounts that were not passed on to the FDIC and to\nwhich it is entitled.\n\n\n\n\n                                                5\n\x0cOn-Site Billing Rates\n\nFDIC\xe2\x80\x99s delivery orders require that, with few exceptions, work be performed at CIBER\xe2\x80\x99s\nfacilities. As such, most labor hours are to be billed at off-site rates. Off-site rates are higher\nthan rates billed for work performed at FDIC facilities because of overhead costs associated with\nrent, utilities, etc. Thus, FDIC Delivery Orders provide for a lower on-site hourly billing rate in\nthe event that CIBER personnel perform work at FDIC facilities.\n\nThe DIRM Management Analyst responsible for assigning workspace at the Seidman Center\nprovided us with the names of eight CIBER employees and the dates on which they had been\nassigned FDIC workspace. CIBER billed the FDIC higher off-site rates for two of the eight\nindividuals for the period of April 11, 1998 through May 31, 1999. Thus, our review indicates\nthat the FDIC paid $26,751 in excess of the lower on-site rates for work performed by these\nindividuals.\n\nRecommendation\n\n(1) The Associate Director, ACSB, DOA, should disallow net payments of $587,621 for\nunallowable charges.\n\nCONTRACT ADMINISTRATION ENHANCEMENTS\n\nAs an added objective, we sought ways to improve contract administration to benefit the balance of\nthe open delivery orders and possibly oversight of other similar ones. The following enhancements,\nif implemented, should help ensure effective contract administration:\n\xe2\x80\xa2 Reiterating to CIBER that it must adhere to the GSA contract and FDIC delivery order\n     provisions,\n\xe2\x80\xa2 Obtaining and reviewing more information from CIBER on its invoices and reviewing contractor\n     employee qualifications,\n\xe2\x80\xa2 Developing a procedure to help ensure that tasks are performed by the appropriate labor category\n     of contractor personnel,\n\xe2\x80\xa2 Requiring that CIBER provide information on equipment it has purchased and having oversight\n     managers make periodic surprise inventory counts, and\n\xe2\x80\xa2 Ensuring that the FDIC complies with GSA contract provisions when setting experience levels.\n\nCIBER Should Adhere to Contract Provisions\n\nAs discussed in detail earlier in our report, the results of our audit show that CIBER billed the FDIC\nfor unallowable charges relating to employee qualification issues, excessive or unauthorized\nsubcontractor markups, billing rate issues, and volume discounts. Criteria governing allowable\ncharges is specifically outlined in the GSA contract and/or FDIC delivery orders. Accordingly, we\nrecommend the following:\n\n\n\n\n                                                  6\n\x0cRecommendation\n\n(2) The Associate Director, ACSB, DOA, should reiterate to CIBER that it must adhere to the\nprovisions of the GSA contract and FDIC delivery orders to prevent recurrence of the unallowable\ncharges identified in Table 1.\n\nMore Information on Invoices and Added Procedures Needed\n\nCIBER\xe2\x80\x99s invoices do not contain all of the information that oversight personnel need to conduct a\nthorough review of contractor billings. Apart from employee qualification issues, we believe\ncontract specialists and oversight managers could better detect the types of unallowable charges\nidentified in Table 1 if CIBER\xe2\x80\x99s invoices included more information. For example, the invoices did\nnot identify the name of the subcontractor firms. Therefore, it was not readily apparent that some\nsubcontractor firms had not been authorized in advance. Much of the information that can enhance\ninvoice review is readily available or easy to accumulate through automated methods.\n\nRegarding employee qualification issues, our tests showed that 17 employees did not meet the\nminimum experience requirements set forth by both the GSA master contract and the delivery\norders. DIRM oversight managers identified 4 of the 17 employees as key personnel. Oversight\nmanagers did not ensure that contract employees possessed the qualifications necessary for the levels\nwithin the labor categories billed. Therefore, procedures are needed to ensure that CIBER and\nsubcontractor employees meet the experience qualifications set forth in the delivery orders.\n\nRecommendation\n\n(3) The Associate Director, ACSB, DOA, should ensure that CIBER revises its invoice format to\ninclude the following information:\n\xe2\x80\xa2 Identification of each employee by employer (CIBER or name of subcontractor).\n\xe2\x80\xa2 Subcontractor markup percentages billed and authorized.\n\xe2\x80\xa2 Cumulative subcontractor charges.\n\xe2\x80\xa2 Identification of the labor category assigned to each employee.\n\xe2\x80\xa2 Cumulative charges for each labor category.\n\xe2\x80\xa2 Representation as to whether any employees worked on-site.\n\xe2\x80\xa2 Cumulative totals tracking amounts billed and the corresponding discount.\n\n(4) The Associate Director, ACSB, DOA, and Director, DIRM, should ensure that contract\nspecialists\xe2\x80\x99 and oversight managers\xe2\x80\x99 review of CIBER\xe2\x80\x99s invoices includes steps to detect\nunallowable charges for subcontractor markups, rate variances, volume discounts, and off-site rates\nbilled for time worked on-site.\n\n(5) The Director, DIRM, should develop procedures to ensure that (a) CIBER and subcontractor\nemployees meet delivery order experience requirements and (b) subcontractors are authorized in\nadvance and their participation is limited to levels authorized in the delivery orders.\n\n\n\n\n                                                 7\n\x0cLabor Costs Need to Be Aggressively Monitored\n\nOur audit found that the labor mix used to perform tasks differed significantly from the labor mix\nproposed by CIBER in response to the Requests for Quotation. For each delivery order, CIBER\nproposed a labor mix of professional staff hours allocated over various labor categories that would\nbe used over the initial periods. At the time of our audit, sufficient time had elapsed for four delivery\norders to complete the initial periods. Analysis of these four delivery orders indicates that CIBER\nused higher compensated personnel than proposed, resulting in higher average hourly rates. For\nexample, one delivery order provided 26,400 hours of professional labor at an average hourly rate of\n$78.40. As the chart below illustrates, CIBER staffed the delivery order with higher compensated\npersonnel, resulting in an average hourly rate of $91.15 and a situation where CIBER exhausted the\nauthorized direct labor funds after expending only 22,712 hours.\n\n        Labor Category           Hourly Rate              Proposed Hours          Actual Hours\n        Project Manager          $102.99                  400                     11,398\n        Sys Analyst III          $86.34                   4,000                   8,172\n        App Developer IV         $80.80                   18,000                  334\n        Sys Analyst II           $67.62                   0                       305\n        Tech Writer II           $57.22                   4,000                   2,503\n             Totals                                       26,400                  22,712\n        Source: OIG Analysis\n\nThe other 3 delivery orders also showed disparities between actual and proposed average hourly\nrates, respectively, as follows: $91.50 vs. $83.42 with 16,000 hours budgeted; $93.66 vs. $86.16\nwith 17,500 hours budgeted; and $81.56 vs. $78.14 with 15,500 hours budgeted.\n\nAccording to a DIRM section chief, the labor mix proposed by CIBER to perform the tasks within a\ndelivery order represents an estimate of the resources that may be required. The section chief\nindicated that disparities between budget and actual that approach significant thresholds are a\nconcern.\n\nDisparities involving higher average hourly rates can bring about contract modifications where\ncontractors request increases in funding and exercise option periods earlier than planned. According\nto the APM, the oversight managers are responsible for ensuring that resources are applied at\nproposed levels, and the Contracting Officer is responsible for investigating situations involving\nmaterial deviations from the proposed labor mix. By implementing recommendation number three,\nthe oversight managers will have an added tool for tracking cumulative labor hours by delivery\norder.\n\nRecommendation\n\n(6) The Director, DIRM, should develop procedures to ensure that CIBER\xe2\x80\x99s actual staffing more\nclosely conforms to levels proposed and to notify the Contracting Officer in instances when actual\nhours begin to deviate significantly from the proposed labor mix.\n\n\n\n\n                                                   8\n\x0cControls over CIBER-Purchased Equipment Need Strengthening\n\nOur review of CIBER invoices indicates that the FDIC has paid $205,653 for CIBER\xe2\x80\x99s purchases of\ncomputer hardware/software related to the eight delivery orders. However, the Oversight Managers\ncould only provide us with limited records containing information integral to the control of these\npurchases. For example, the Oversight Managers were not always able to provide us with (1) the\nphysical location of equipment purchased by CIBER, (2) equipment serial numbers, or (3) names of\nCIBER employees assigned custody of equipment. Thus, the FDIC is in the position of relying upon\nCIBER to account fully for equipment it purchases on behalf of the FDIC. Oversight Managers\nperforming site visits to conduct surprise inspections of equipment can help remedy this situation.\n\nAccording to the APM, the Oversight Manager is responsible for maintaining an itemized list of\nproperty involved on specific contracts under his/her purview showing serial numbers, if any. The\nOversight Manager is also responsible for ensuring that delivery of the property to the contractor is\nmade in accordance with the contract. Finally, the Oversight Manager is responsible for providing\nthe Contracting Officer with a property list and a written contractor acknowledgement for receipt of\nsuch property. During our exit conference on January 21, 2000, we were informed that DIRM and\nACSB had jointly initiated corrective action in response to our audit queries of accountability over\nCIBER-purchased equipment.\n\nRecommendation\n\n(7) The Director, DIRM, should ensure that Oversight Managers make periodic site visits to conduct\nsurprise inspections of equipment and confirm FDIC official inventory records.\n\n(8) The Associate Director, ACSB, DOA, should require that CIBER provide serial numbers,\nlocations, and names of personnel assigned custody of equipment that CIBER has purchased.\n\n(9) The Associate Director, ACSB, DOA, should require that CIBER provide Oversight Managers\nwith an annual inventory of equipment purchases.\n\nCoordination and Communication Are Essential Components of Effective Oversight\n\nIt is important that the Contracting Officer and Oversight Managers closely coordinate their\nfunctions. The Oversight Manager is responsible for ensuring that the FDIC provides resources as\nrequired by the contract and for communicating the need for any contract modifications to the\nContracting Officer. However, during the course of our audit, we identified breakdowns in\ncommunication that resulted in control issues pertaining to the authorization of key personnel and the\nperformance of background investigations. We also identified inconsistencies in the application of\nFDIC policies and procedures.\n\nWe reviewed CIBER invoices to determine the names of individuals charging time to the FDIC.\nWe then provided the Oversight Managers with a list of these names and requested confirmation\nof key personnel. Although 34 individuals were identified as key personnel, we could not locate\nwritten authorization in corporate contract files for 24 of these individuals. We contacted the\nresponsible Contracting Specialists and found that they were unaware that these 24 individuals\nwere serving as key personnel. Establishing key personnel is important since the contract award\nis often based on the provision of key personnel with specific education and work experience.\n                                                  9\n\x0cThe APM specifically requires that Oversight Managers advise Contracting Officers of changes\nin contractor key personnel. After notification, the Contracting Officer is required to\n(1) determine whether the requested modification is within scope, (2) negotiate any changes\nrequired by the modification, and (3) execute the modification with the contractor. We saw no\nevidence that any of these steps had been taken.\n\nOur audit also disclosed that background investigations had not been performed for 14 key\npersonnel and 2 on-site employees. The APM requires that background investigations be\nconducted for contractors, subcontractors, management officials, and key personnel for awards\nof $100,000 or greater. The APM directs the Contracting Officer to request background\ninvestigations from the Division of Administration\xe2\x80\x99s Security Services Section before awarding a\ncontract. Background checks are also required for any new key employees. Based on our\ntesting, it appears that neither the Contracting Specialists nor the Oversight Managers requested\nbackground investigations for these 16 individuals. This control issue was also identified in the\nAudit of the Award and Administration of DIRM Service Contracts report issued on\nSeptember 30, 1999 (audit report number 99-041). The OIG recommended that the Director of\nDOA ensure that all DIRM service contractor employees have background investigations\ncompleted in a timely manner. ACSB management agreed and implemented a tracking system in\nJuly 1999. The sampled invoices pre-dated the ACSB\xe2\x80\x99s response. Because a recommendation\nhas subsequently been made related to performing background checks, we will not include one\nhere.\n\nFinally, our audit identified other areas requiring the consistent application of FDIC policies and\nprocedures. For example, we found that CIBER supervisory personnel did not always approve\ntime sheets. We were also unable to reconcile five of CIBER\xe2\x80\x99s 96 invoices with corresponding\nstatus reports. CIBER prepared these status reports to support the invoices by providing detailed\ninformation regarding services performed during the billing period. We also found that\n(1) CIBER did not always obtain a sales tax exemption for computer equipment purchases and\n(2) Contracting Specialists did not always disallow charges for sales tax.\n\nRecommendation\n\n(10) The Associate Director, ACSB, DOA, should reiterate to CIBER that it is responsible for\nadvising the Contracting Officer of proposed changes in key personnel, that exemptions from sales\ntaxes should be obtained, and supervisory review and approval of time sheets is a necessary internal\ncontrol.\n\n(11) The Director, DIRM, should reiterate to oversight managers the requirements regarding\nreconciling invoices with status reports.\n\nFDIC Should Operate Within the Scope of GSA Contract Requirements\n\nWe identified six labor categories for which the FDIC lowered employee experience\nrequirements without obtaining a GSA contract modification or reduction in hourly billing rates.\nThis audit condition involved time charges submitted by three individuals meeting the FDIC\xe2\x80\x99s\nexperience requirements but not meeting GSA experience requirements. By paying these\nemployees at the higher labor category rate, the FDIC in effect overpaid CIBER $74,291 by not\n\n                                                 10\n\x0coperating within the scope of GSA contract requirements. We are not questioning these costs\nbecause they were incurred in compliance with FDIC\xe2\x80\x99s contracts with CIBER.\n\nRecommendation\n\n(12) The Associate Director, ACSB, DOA, should ensure that the FDIC operates within the scope of\nGSA contract requirements when issuing delivery orders.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn May 11 and 12, 2000, the Directors of DIRM and DOA, respectively, provided written\nresponses to the draft report. Management agreed to implement all 12 recommendations. The\nresponses are presented as Appendix I to this report.\n\nThe written responses and subsequent correspondence regarding expected completion dates for\ncorrective actions provided the requisites for a management decision on each of the\nrecommendations in the draft report. The responses are not summarized because the actions\nplanned or already taken are identical to those recommended.\n\nBased on the audit work, the OIG will report questioned costs of $587,621 in its Semiannual\nReport to the Congress.\n\n\n\n\n                                              11\n\x0c                                   CORPORATION COMMENTS                            APPENDIX I\n\n         Federal Deposit Insurance Corporation\n         550 17th Street, NW, Washington, DC 20429                                   Division of Administration\n\n\n\n\n                                              May 12, 2000\n\nTO:                               David H. Loewenstein\n                                  Assistant Inspector General\n\n\nFROM:                             Arleas Upton Kea\n                                  Director, Division of Administration\n\nSUBJECT:                          Management Response to Draft Report: Audit of Payments to CIBER,\n                                  Inc.\n\nThe Division of Administration (DOA) has completed its review of the Office of Inspector General\n(OIG) Draft Report entitled \xe2\x80\x9cAudit of Payments to CIBER Inc.\xe2\x80\x9d The OIG identified 7 audit findings\nand made 12 recommendations, one dealing with $587,621 in questioned costs. The Draft Report\nwas also addressed to the Director, Division of Information Resource Management (DIRM), and he\nwill be responding directly for all recommendations addressed to him.\n\nRecommendations 1, 2, 3, 4, 8, 9, 10 and 12 in the Draft Report were addressed to the Associate\nDirector for Acquisition and Corporate Services, DOA, and Recommendations 4, 5, 6, 7 and 11 were\naddressed to the Director, DIRM. Even though we are not required to respond to Recommendation\n5, we have offered a clarifying comment dealing with the Contracting Officer\xe2\x80\x99s authority on the\nmatter. We do not believe our response will change or alter DIRM\xe2\x80\x99s response. Based on our\npreliminary review, corrective actions are required for all the recommendations. Exhibit A\nsummarizes the 7 audit findings and all 12 recommendations; and for the DOA-related corrective\nactions, the exhibit summarizes the expected completion dates, and the documentation that will\nconfirm completion.\n\nMANAGEMENT DECISION\n\nFinding #1: CIBER Billed FDIC for Unallowable Charges.\n\nRecommendation #1: Disallow $587,621 in unallowable charges.\n\nManagement Response: We agree with the recommendation. DOA will disallow and pursue\nrecovery of amounts that cannot be adequately supported by the contractor. We estimate final\nresolution of this recommendation by September 29, 2000.\n\n\nFinding #2: CIBER Did Not Adhere to Contract Provisions.\n\nRecommendation #2: Emphasize to the contractor that it must adhere to provisions of the GSA\ncontract and FDIC delivery orders to prevent recurrence of unallowable charges identified in the\nprevious recommendation.\n\n\n\n                                                     12\n\x0cManagement Response: We agree with the recommendation. We have discussed the issues with\nthe contractor and rewritten sections of a subsequent CIBER delivery order to prevent similar billing\nirregularities in the future. Audit findings identified in this report requiring corrective action\ninvolving contract practices and billings will be identified and communicated in writing by the\nContracting Officer to CIBER by July 31, 2000.\n\n\nFinding #3: Contractor Invoices Did Not Contain Sufficient Information to Permit A Thorough\nReview of Billings.\n\nRecommendation #3: The contractor should revise its invoice format to include information that\nwould fully disclose the charges to FDIC.\n\nManagement Response: We agree with the recommendation. DOA and CIBER have redesigned\nthe Delivery Order invoices. The new invoice format will be used by CIBER beginning with the\nJune 15, 2000 invoice.\n\nRecommendation #4: The review of CIBER invoices should include steps to detect unallowable\ncharges similar to those identified in this report.\n\nManagement Response: We agree with the recommendation. As noted for recommendation #3, a\nnew invoice format has been designed for CIBER invoices. The new invoice format will also\naddress this recommendation. The Acquisition Policy Manual (Revision 1), issued March 31, 2000,\nprovides adequate guidance on this subject and does not require a corresponding adjustment.\n\nRecommendation #5: Procedures should be developed to ensure that (a) CIBER and subcontractor\nemployees meet delivery order experience requirements and (b) subcontractors are authorized in\nadvance and their participation is limited to levels authorized in the delivery orders. (DIRM will\nprovide the Corporation\'s primary response to this recommendation.)\n\nManagement Response: Regarding employee experience requirements (Recommendation 5a),\nACSB will provide the FDIC and GSA Schedule labor category descriptions to DIRM to facilitate its\nreview of contractor personnel qualifications. DIRM will be responsible for matching resumes to\ncontractual labor categories as well as evaluating whether subcontractor employees are qualified to\nwork under FDIC contracts. After receiving input from DIRM, the Contracting Officer will modify a\ncontract, if appropriate. With respect to Recommendation 5b, only the Contracting Officer is\nauthorized to approve the DIRM subcontractor(s). The Contracting Officer will act to approve\ncontractors upon an appropriate request from DIRM.\n\n\nFinding #4: Labor Costs Need to be Aggressively Monitored.\n\nRecommendation #6: DIRM will respond to this recommendation.\n\n\nFinding #5: Controls Over Government Furnished Equipment (GFE) Purchased By CIBER Are\nInadequate.\n\nRecommendation #7: DIRM will respond to this recommendation.\n\n\n\n                                                 13\n\x0cRecommendation #8: The contractor should be required to provide serial numbers, locations, and\nnames of personnel assigned custody of Government Furnished Equipment (GFE) purchased by\nCIBER.\n\nManagement Response: We agree with the recommendation. The CIBER Delivery Order has been\nmodified and now requires the contractor to include GFE serial numbers, location, contractor\ncustodian, and other pertinent information. Both the CIBER Delivery Order and the standard\nDelivery Order will be further modified to require Quarterly GFE Monitoring Reports by June 1,\n2000.\n\nRecommendation #9: The contractor should provide Oversight Managers an inventory of all GFE\nequipment purchases annually.\n\nManagement Response: We agree with the recommendation. Currently, FDIC approves all\nequipment purchases (i.e., GFE) by the DIRM contractors. This information will now be compiled\nby the DIRM GFE Coordinator and available for an annual inventory. Also, the Quarterly GFE\nMonitoring Report will be used to review GFE purchased by CIBER and other DIRM contractors\n(See Recommendation #8).\n\n\nFinding #6: There Were Instances of Inconsistent Application and Non-Compliance With FDIC\nPolicies and Procedures.\n\nRecommendation #10: Emphasize to the contractor that it must advise the Contracting Officer of\nproposed changes in key personnel, that it should obtain exemption from sales taxes, and that\nsupervisory personnel must approve time sheets submitted to FDIC for payment.\n\nManagement Response: We agree with the recommendation. All audit deficiencies will be\nsummarized and communicated by the Contracting Officer in writing to CIBER by July 31, 2000.\n\nRecommendation #11: DIRM will respond to this recommendation.\n\n\nFinding #7: FDIC Changed Labor Experience Criteria So It Did Not Conform With GSA Contract\nRequirements.\n\nRecommendation #12: FDIC should ensure that it operates within the scope of GSA contract\nrequirements when issuing delivery orders.\n\nManagement Response: We agree with the recommendation. The standard Delivery Order will be\nmodified to require a list of all key and non-key personnel and their resumes. Further, contractors\nwill be required to certify that all personnel working under the contract, including subcontractor\npersonnel, meet minimum (GSA or FDIC) experience requirements for the labor categories that are\ndefined in the contracts. The certifications will then be verified on a sample basis to ensure that all\ncontractor employees are billed in the correct labor categories. This will be implemented by July 28,\n2000. All Acquisition Section personnel will receive written instruction on this requirement prior to\nimplementation.\n\n\n\n                                                   14\n\x0cIf you have any questions regarding this response, you may contact Andrew O. Nickle, Audit Liaison\nfor the Division of Administration, at (202) 942-3190.\n\n\ncc:    Mike Rubino\n       Deborah Reilly\n       Dave McDermott\n       Rodney Cartwright\n       Mary Rann\n       Tom Harris\n       Andrew Nickle\n       Richard Johnson\n       Jesse Barrios\n\n\n\n\n                                               15\n\x0c                                                              EXHIBIT A\n\n\n                                                         DIVISION OF ADMINISTRATION\n\n                                                       SUMMARY OF MANAGEMENT DECISION\n                                                                                                                         EXPECTED     DOCUMENT\n                                       QUESTIONED         AMOUNT             DESCRIPTION OF CORRECTIVE                  COMPLETION    VERIFYING\nNO.    FINDING DESCRIPTION                COST          DISALLOWED                    ACTION                               DATE      COMPLETION\n 1    Contractor billed charges that\n      were not allowable under the                                      Management agreed with the findings and\n      contract.                                                         recommendation.\n\n      a.(1) Employee qualifications\n      not commensurate with billing\n      rates                                $293,315          $293,315   DOA will take recovery actions for all\n      a.(2) Subcontractor markups           216,974           216,974   amounts that the contractor is unable to\n      a.(3) Labor rates exceeded                                        adequately support.                                           Decision\n      GSA limits                             98,259            98,259                                                                Memorandum\n      a.(4) Volume discounts not                                                                                                         or\n      passed on to FDIC as agreed            34,372            34,372                                                                  Demand\n      a.(5) On-site billing rate not                                                                                                    Letter\n      charged for work performed at\n      FDIC                                   26,751            26,751                                                     09/29/00\n      a.(6) Less: effect of\n      overlapping questioned costs          (82,050)         (82,050)   DOA will offset the final amount of recovery\n                                                                        by the amount of this overlap.\n      CIBER did not conform with                                        Management agreed with the finding and\n 2\n      provisions of the GSA contract             -0-              -0-   recommendation.\n      and FDIC delivery orders.\n                                                                        DOA has been working with CIBER to\n                                                                        correct deficiencies noted by the OIG.                          Letter\n                                                                        (a) Where corrective actions are required for     07/31/00         /\n                                                                        current contracts, they will be summarized                       Draft\n                                                                        and formally communicated to CIBER.              Completed      CIBER\n                                                                        (b) Where contract language was found to be                    Contract\n                                                                        ambiguous, the related contract sections have                  Revisions\n                                                                        been revised for future CIBER contracts.\n\n\n                                                                        16\n\x0c                                                                   EXHIBIT A\n                                                                     (Con\xe2\x80\x99t)\n                                                      SUMMARY OF MANAGEMENT DECISION\n\n                                                                                                                           EXPECTED     DOCUMENT\n                                       QUESTIONED      AMOUNT       DESCRIPTION OF CORRECTIVE ACTION                      COMPLETION    VERIFYING\n                                          COST       DISALLOWED                                                              DATE      COMPLETION\nNO.    FINDING DESCRIPTION\n 3    Information provided by                                      Management agreed with the finding and\n      contractor on its invoices               -0-           -0-   recommendations.\n      was inadequate.                                                                                                                    Approved\n      a. Invoice format did not                                    a. ACSB has completed the reformatting of CIBER                        CIBER\n      provide adequate disclosure                                  invoices to include the elements recommended by                       Invoices\n      of all contractor charges.                                   the OIG.                                                 06/15/00         /\n      b. FDIC\xe2\x80\x99s review of CIBER                                    b. Implementing the redesigned invoice (3.a.) will                      APM\n      invoices did not include steps                               satisfy this recommendation. The revised APM                         Sec. 7.I.6;\n      to help detect unallowable                                   contains adequate guidance.                              06/15/00    Exhibit XX\n      charges.\n      c.(1) Procedures do not exist                                c.(1) DIRM will respond.                                 (DIRM)       (DIRM)\n      that ensure subcontractor\n      employees meet minimum\n      experience requirements.\n      c.(2) Subcontractors were not                                c.(2) DIRM will respond.                                 (DIRM)       (DIRM)\n      properly authorized in\n      advance        of their\n      participation as\n      required under their\n      contracts.\n 4    Contractor labor costs not               -0-           -0-   DIRM will respond.                                       (DIRM)       (DIRM)\n      monitored.\n 5    FDIC lacks adequate controls                                 Management agreed with the finding and\n      over Government equipment                -0-           -0-   recommendations.\n      purchased by the contractor.                                 a. DIRM will respond.                                    (DIRM)       (DIRM)\n      a. Surprise inventory                                        b. The CIBER delivery order was modified to require\n      inspections are not being                                    GFE serial numbers, location, contractor custodian,      06/01/00    Inventory\n      conducted by Oversight                                       etc. It will be further modified to also require                     Document\n      Managers.                                                    quarterly GFE monitoring reports for the current and                     /\n      b. CIBER did not provide                                     all future delivery orders.                                         Memorandum\n      information about equipment                                  c. Currently, FDIC approves all GFE purchases.                          Or\n      location and identity.                                       This information will now be compiled by DIRM            06/01/00    E-mail to\n      c. Contractor equipment                                      and available for annual inventory. Also, the quar-                    DIRM\n      inventory is not being kept                                  terly GFE monitoring report will be used to review\n      up to date.                                                  CIBER (and all other DIRM contractors\xe2\x80\x99) purchases\n                                                                   of GFE. This will be implemented with 5.b.\n\n\n                                                                       17\n\x0c                                                                  EXHIBIT A\n                                                                    (Con\xe2\x80\x99t)\n\n\n                                                   SUMMARY OF MANAGEMENT DECISION\n\n\n\n                                    QUESTIONED       AMOUNT                                                           EXPECTED     DOCUMENT\nNO.   FINDING DESCRIPTION              COST        DISALLOWED                                                        COMPLETION    VERIFYING\n                                                                   DESCRIPTION OF CORRECTIVE ACTION                     DATE      COMPLETION\n\n 6    Non-compliance with FDIC                                     Management agreed with the finding and\n      policies and procedures.               -0-            -0-    recommendation.\n                                                                                                                                    Letter\n      a. Changes in contractor                                     a. DOA will summarize the contract deficiencies     07/31/00       To\n      personnel, approval of time                                  and will communicate them formally to CIBER,                     CIBER\n      sheets, and taking required                                  emphasizing GSA and contract compliance going\n      tax exemptions.                                              forward.\n\n      b. Oversight Managers are                                    b. DIRM will respond.                               (DIRM)       (DIRM)\n      not reconciling invoice\n      billings with work progress\n      reports.\n\n\n 7    Contractor was overpaid for                                  Management agreed with the recommendation.\n      some positions that did not            -0-            -0-\n      meet GSA experience                                          ACSB currently requires resumes for all \xe2\x80\x98key\xe2\x80\x99                     ACSB\n      requirements. By accepting                                   contractor employees. Contractors will now also                   e-mail\n      these lower requirements,                                    be required to submit a list of non-key persons     07/28/00        or\n      FDIC did not conform with                                    and certify that they meet minimum experience                     Memo\n      GSA contract criteria.                                       requirements. This can then be verified on a\n                                                                   sample basis.\n\n\n\n             Totals                     $587,621       $587,621\n\n\n\n\n                                                                      18\n\x0cFederal Deposit Insurance Corporation\n3501 North Fairfax Dr., Arlington, VA 22226                          Division of Information Resources Management\n\n\n                                                                 May 11, 2000\n\n\nTO:                   David H. Loewenstein\n                      Assistant Inspector General\n\n\n\n\nFROM:                 Donald C. Demitros, Director\n\nSUBJECT:              DIRM Management Response to the Draft OIG Report Entitled, "Audit of\n                      Payments to CIBER, Inc.\xe2\x80\x9d (Audit No. 99-407)\n\n\nThe Division of Information Resources Management (DIRM) has reviewed the subject draft\naudit report and generally agrees with the findings and recommendations. Both DIRM and the\nDivision of Administration (DOA) are responding to recommendation numbers 4 and 5. DOA\nwill also respond to your recommendation numbers 1-3, 8-10 and 12 under separate cover.\nResponses to each of the OIG\'s specific recommendations directed to DIRM are provided below:\n\nManagement Decision:\n\nRecommendation: (4) The Associate Director, ACSB, DOA, and Director, DIRM, should\nensure that contract specialists\xe2\x80\x99 and oversight managers\xe2\x80\x99 review of CIBER\xe2\x80\x99s invoices includes\nsteps to detect unallowable charges for subcontractor markups, rate variances, volume discounts,\nand off-site rates.\n\n           Response: In a mandatory training course that DIRM will conduct for its Oversight\n           Managers (OMs), with ACSB\xe2\x80\x99s support, OMs will be advised to review their invoices for\n           unallowable charges for subcontractor markups, rate variance, volume discounts, and off-\n           site rates. Also, OMs will be advised in the training session to prepare a request to the\n           contracting officer to obtain on-site rates if these rates are not in their contract and they\n           have a subsequent requirement for on-site work. This course will be developed and\n           presented by the end of the third quarter, 2000.\n\nRecommendation: (5) The Director, DIRM, should develop procedures to ensure that (a)\nCIBER and subcontractor employees meet delivery order experience requirements and (b)\nsubcontractors are authorized in advance and their participation is limited to levels authorized in\nthe delivery orders.\n\n           Response: In a mandatory training course that DIRM will conduct for its Oversight\n           Managers, with ACSB\xe2\x80\x99s support, OMs will be advised to ensure that (a) contractors and\n           their subcontractors meet the labor category experience requirements and (b) that\n           subcontractors are authorized in advance by the contracting officer and limited to levels\n\n\n                                                     19\n\x0c       authorized in the delivery orders. By the end of the third quarter, 2000, DIRM will\n       develop a procedure that addresses these concerns.\n\nRecommendation: (6) The Director, DIRM, should develop procedures to ensure that CIBER\xe2\x80\x99s\nactual staffing more closely conforms to levels proposed and to notify the Contracting Officer in\ninstances when actual hours begin to deviate significantly from the proposed labor mix.\n\n       Response: In a mandatory training course that DIRM will conduct for its Oversight\n       Managers, with ACSB\xe2\x80\x99s support, OMs will be advised to closely monitor their\n       contractor\xe2\x80\x99s actual staffing hours against those proposed. Further, they will be advised\n       that a procedure will be issued requiring them to perform a quarterly review of their\n       proposed labor category hours versus actuals. If a significant increase is shown in any\n       category, OMs will be required to send an email to their contract specialist notifying\n       them of the finding and providing an explanation for the increase. Both the training and\n       procedure will be completed by the end of the third quarter, 2000.\n\nRecommendation: (7) The Director, DIRM, should ensure that Oversight Managers make\nperiodic site visits to conduct surprise inspections of equipment and confirm FDIC official\ninventory records.\n\n       Response: DIRM is currently addressing this problem. Following ACSB\'s completion of\n       GFE contract language updates to existing DIRM contracts, DIRM issued a\n       memorandum titled \xe2\x80\x9cDIRM Government Furnished Equipment (GFE) Policies and\n       Procedures." This memorandum was issued April 11, 2000 to DIRM\xe2\x80\x99s Oversight\n       Managers (OMs). The memorandum outlines responsibilities and procedures for\n       acquiring, safeguarding, and managing IT assets assigned to contractors, and for\n       reallocating GFE. It further states that DIRM\xe2\x80\x99s GFE Coordinator will work with OMs to\n       ensure that all GFE is inventoried and entered into ITAMS, DIRM\xe2\x80\x99s IT Asset\n       Management System. The DIRM GFE Coordinator and his supporting staff are in the\n       process of contacting each OM to coordinate the physical inventory and data capture of\n       GFE equipment at each contractor\xe2\x80\x99s site. All contractor off-site inventory and data\n       capture activities are scheduled to be completed by June 30, 2000. In addition, in the\n       mandatory training course that DIRM will conduct for its OMs, the OMs will be advised\n       to conduct surprise inspections at off-site contractor locations to verify equipment using\n       the ITAMS inventory.\n\nRecommendation: (11) The Director, DIRM, should reiterate to Oversight Managers the\nrequirements regarding reconciling invoices with status report.\n\n       Response: In a mandatory training course that DIRM will conduct for its Oversight\n       Managers, with ACSB\xe2\x80\x99s support, OMs will be advised to reconcile their invoices as\n       closely as possible with status reports. The training will be completed by the end of third\n       quarter, 2000.\n\nPlease address any questions to DIRM\'s Audit Liaison, Rack Campbell, on (703) 516-1422.\n\n\n\n                                               20\n\x0c                                                                                                                                APPENDIX II\n                                       MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its\nsemiannual reports to the Congress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance,\nseveral conditions are necessary. First, the response must describe for each recommendation\n\n   \xc2\xa7 the specific corrective actions already taken, if applicable;\n   \xc2\xa7 corrective actions to be taken together with the expected completion dates for their implementation; and\n   \xc2\xa7 documentation that will confirm completion of corrective actions.\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons\nfor any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response.\n\nIf management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.\nSecond, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of action already taken or proposed and (2) the documentation\nconfirming completion of corrective actions are responsive to its recommendations.\n\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions.\nThe information for management decisions is based on management\xe2\x80\x99s written response to our report and subsequent discussions with management\nrepresentatives.\n\n\n\n\n                                                                      21\n\x0c                                                                                                  Documentation That                    Management\n Rec.                                                                            Expected            Will Confirm        Monetary       Decision: Yes\nNumber          Corrective Action: Taken or Planned/Status                    Completion Date        Final Action        Benefits          or No\n         The Associate Director, ACSB, DOA, agreed with the\n                                                                                                                         $587,621 in\n         recommendation. DOA will disallow and pursue recovery of\n  1                                                                          September 29, 2000   Settlement Agreement   disallowed         Yes\n         amounts that cannot be adequately supported by the\n                                                                                                                            costs\n         contractor.\n         The Associate Director, ACSB, DOA, agreed with the\n         recommendation.\n         DOA has discussed the issues with the contractor and\n         rewritten sections of a subsequent CIBER delivery order to             July 31, 2000      Letter/Draft CIBER       Not\n  2                                                                                                                                         Yes\n         prevent similar billing irregularities in the future. Audit                               Contract Revisions    Quantifiable\n         findings identified in this report requiring corrective action\n         involving contract practices and billings will be identified\n         and communicated in writing by the Contracting Officer.\n         The Associate Director, ACSB, DOA, agreed with the\n         recommendation. DOA and CIBER have redesigned the                                          Approved CIBER          Not\n  3                                                                             June 15, 2000                                               Yes\n         Delivery Order invoices. The new invoice format will be                                        Invoices         Quantifiable\n         used by CIBER beginning with the June 15, 2000 invoice.\n         The Associate Director, ACSB, DOA, and the Director,\n         DIRM, agreed with the recommendation.\n         A) As noted for recommendation #3, the newly designed\n             CIBER invoice format will also address this\n             recommendation.\n         B) In a mandatory training course that DIRM will conduct                                 A) Approved CIBER\n             for its Oversight Managers (OMs), with ACSB\xe2\x80\x99s                   A) June 15, 2000        Invoices\n             support, OMs will be advised to review their invoices                                B) Course material\n             for unallowable charges for subcontractor markups, rate         B) September 29,\n                                                                                2000                 and verify\n             variance, volume discounts, and off-site rates. Also,                                                          Not\n  4                                                                                                  attendance.                            Yes\n             OMs will be advised in the training session to prepare a        C) June 8, 2000                             Quantifiable\n             request to the contracting officer to obtain on-site rates if                        C) Meeting/session\n             these rates are not in their contract and they have a                                   agenda/handouts\n             subsequent requirement for on-site work.                                                and verify\n         C) DIRM and DOA will jointly conduct a meeting/review                                       attendance\n             session with OMs and contract specialists of current\n             CIBER problems. This session will include a briefing on\n             the audit report findings and the changes being\n             implemented, especially with regard to the new invoice\n             format and the OMs responsibilities.\n\n\n\n                                                                                   22\n\x0c                                                                                                Documentation That                   Management\n Rec.                                                                         Expected             Will Confirm       Monetary       Decision: Yes\nNumber          Corrective Action: Taken or Planned/Status                 Completion Date         Final Action       Benefits          or No\n         The Director, DIRM, agreed with the recommendation.\n         A) In a mandatory training course that DIRM will conduct\n             for its OMs, with ACSB\xe2\x80\x99s support, OMs will be advised\n             to ensure that (a) contractors and their subcontractors\n             meet the labor category experience requirements and (b)\n             that subcontractors are authorized in advance by the\n             contracting officer and limited to levels authorized in the\n             delivery orders.\n         B) The Associate Director, ACSB, DOA, also provided a\n             secondary response. Regarding employee experience\n             requirements (Recommendation 5a), ACSB will provide                                Course material and      Not\n  5          the FDIC and GSA Schedule labor category descriptions         September 29, 2000                                            Yes\n                                                                                                verify attendance.    Quantifiable\n             to DIRM to facilitate its review of contractor personnel\n             qualifications. DIRM will be responsible for matching\n             resumes to contractual labor categories as well as\n             evaluating whether subcontractor employees are\n             qualified to work under FDIC contracts. After receiving\n             input from DIRM, the Contracting Officer will modify a\n             contract, if appropriate. With respect to\n             Recommendation 5b), only the Contracting Officer is\n             authorized to approve the DIRM subcontractor(s). The\n             Contracting Officer will act to approve contractors upon\n             an appropriate request from DIRM.\n         The Director, DIRM, agreed with the recommendation.\n         In a mandatory training course that DIRM will conduct for\n         its Oversight Managers, with ACSB\xe2\x80\x99s support, OMs will be\n         advised to closely monitor their contractor\xe2\x80\x99s actual staffing\n         hours against those proposed.                                                          Course material and\n                                                                                                verify attendance.       Not\n  6                                                                        September 29, 2000                                            Yes\n         Further, they will be advised that a procedure will be issued                                                Quantifiable\n                                                                                                Procedure document\n         requiring them to perform a quarterly review of their\n         proposed labor category hours versus actual. If a significant\n         increase is shown in any category, OMs will be required to\n         send an email to their contract specialist notifying them of\n         the finding and providing an explanation for the increase.\n\n\n\n\n                                                                                 23\n\x0c                                                                                             Documentation That                     Management\n Rec.                                                                        Expected           Will Confirm         Monetary       Decision: Yes\nNumber          Corrective Action: Taken or Planned/Status                Completion Date       Final Action         Benefits          or No\n         The Director, DIRM, agreed with the recommendation.\n         A) DIRM is currently addressing this problem. Following\n             ACSB\'s completion of GFE contract language updates to\n             existing DIRM contracts, DIRM issued a memorandum\n             titled \xe2\x80\x9cDIRM Government Furnished Equipment (GFE)\n             Policies and Procedures." This memorandum was issued\n             April 11, 2000 to DIRM\xe2\x80\x99s Oversight Managers (OMs).\n             The memorandum outlines responsibilities and\n             procedures for acquiring, safeguarding, and managing IT                         A) Memorandum\n             assets assigned to contractors, and for reallocating GFE.\n                                                                         A) Completed,       B) Inventory\n             It further states that DIRM\xe2\x80\x99s GFE Coordinator will work\n                                                                            April 11, 2000      Documents\n             with OMs to ensure that all GFE is inventoried and                                                         Not\n  7          entered into ITAMS, DIRM\xe2\x80\x99s IT Asset Management              B) June 30, 2000    C) Course material                         Yes\n                                                                                                                     Quantifiable\n             System.                                                     C) September 29,       and verify\n         B) The DIRM GFE Coordinator and his supporting staff               2000                attendance.\n             are in the process of contacting each OM to coordinate\n             the physical inventory and data capture of GFE\n             equipment at each contractor\xe2\x80\x99s site. All contractor off-\n             site inventory and data capture activities are scheduled\n             to be completed by June 30, 2000.\n         C) In addition, in the mandatory training course that DIRM\n             will conduct for its OMs, the OMs will be advised to\n             conduct surprise inspections at off-site contractor\n             locations to verify equipment using the ITAMS\n             inventory.\n         The Associate Director, ACSB, DOA, agreed with the\n         recommendation.\n         A) The CIBER Delivery Order has been modified and now                               A) Draft CIBER\n                                                                         A) Completed           Contract Revisions\n             requires the contractor to include GFE serial numbers,                                                     Not\n  8          location, contractor custodian, and other pertinent         B) June 1, 2000     B) Quarterly GFE                           Yes\n                                                                                                                     Quantifiable\n             information.                                                                       Monitoring\n         B) Both the CIBER Delivery Order and the standard Delivery                             Reports\n             Order will be further modified to require Quarterly GFE\n             Monitoring Reports by June 1, 2000.\n         The Associate Director, ACSB, DOA, agreed with the                                  A) Memorandum or\n         recommendation.                                                 A) June 1, 2000        email to DIRM.          Not\n  9                                                                                                                                     Yes\n         A) Currently, FDIC approves all equipment purchases (i.e.,      B) June 1, 2000     B) Quarterly GFE        Quantifiable\n             GFE) by the DIRM contractors. This information will                                Monitoring\n\n                                                                                24\n\x0c                                                                                                Documentation That                   Management\n Rec.                                                                         Expected             Will Confirm       Monetary       Decision: Yes\nNumber          Corrective Action: Taken or Planned/Status                 Completion Date         Final Action       Benefits          or No\n              now be compiled by the DIRM GFE Coordinator and                                      Reports\n              available for an annual inventory.\n         B) Also, the Quarterly GFE Monitoring Reports will be used\n              to review GFE purchased by CIBER and other DIRM\n              contractors (See Recommendation #8).\n         The Associate Director, ACSB, DOA, agreed with the\n         recommendation.\n         Emphasize to the contractor that it must advise the\n         Contracting Officer of proposed changes in key personnel,                                                       Not\n  10                                                                         July 31, 2000        Letter to CIBER                        Yes\n         that it should obtain exemption from sales taxes, and that                                                   Quantifiable\n         supervisory personnel must approve time sheets submitted to\n         FDIC for payment.\n\n         The Director, DIRM, agreed with the recommendation.\n         In a mandatory training course that DIRM will conduct for                              Course material and      Not\n  11     its Oversight Managers, with ACSB\xe2\x80\x99s support, OMs will be          September 29, 2000                                            Yes\n                                                                                                 verify attendance.   Quantifiable\n         advised to reconcile their invoices as closely as possible with\n         status reports.\n         The Associate Director, ACSB, DOA, agreed with the\n         recommendation.\n         The standard Delivery Order will be modified to require a list\n         of all key and non-key personnel and their resumes. Further,\n         contractors will be required to certify that all personnel\n  12     working under the contract, including subcontractor                 July 28, 2000      ACSB email or Memo\n                                                                                                                         Not\n                                                                                                                                         Yes\n         personnel, meet minimum (GSA or FDIC) experience                                                             Quantifiable\n         requirements for the labor categories that are defined in the\n         contracts. The certifications will then be verified on a sample\n         basis to ensure that all contractor employees are billed in the\n         correct labor categories.\n\n\n\n\n                                                                                 25\n\x0c'